I have a project and apparently the designers of the software didn’t put security into consideration.
The passwords are stored in plain text and transmitted through plain text. So I am left with the task to fix this.
I am a bit rusty on security, so my question is: for online user password authentication is it better to use hashing/salting techniques or is it better to use AES encryption? Could I have the pros and cons.
Would it be better to somehow use the ASP.NET membership provider? Would this be easy to do? I have used that before, but the software calls on it’s own tables, so I’m not sure if that’s more trouble there.
If this has been answered could someone direct me there, because I didn’t find a comparison.
You should NEVER store passwords using symmetric encryption.
Random salt for every user, hash their password, store both the salt and hash in the database. Then on login requests you get the user by email/username/id etc, then use the salt tied to that user and hash their supplied password and then match it against the stored hash. If matches, login, else bad password.
If you use the built in ASP.NET membership provider it should do this for you.